// VerifyUserSig verifies that the user-signature of UIDMessage is valid. func (msg *Message) VerifyUserSig(preMsg *Message) error { var ed25519Key cipher.Ed25519Key // check message counter if preMsg.UIDContent.MSGCOUNT+1 != msg.UIDContent.MSGCOUNT { return log.Error(ErrIncrement) } // get content content := msg.UIDContent.JSON() // get self-signature selfsig, err := base64.Decode(msg.USERSIGNATURE) if err != nil { return err } // create ed25519 key pubKey, err := base64.Decode(preMsg.UIDContent.SIGKEY.PUBKEY) if err != nil { return err } if err := ed25519Key.SetPublicKey(pubKey); err != nil { return err } // verify self-signature if !ed25519Key.Verify(content, selfsig) { return log.Error(ErrInvalidUserSig) } return nil }
// Verify verifies that the KeyInit is valid and contains a valid ECDHE25519 // key. func (ki *KeyInit) Verify(keyInitRepositoryURIs []string, sigPubKey string) error { // The REPOURI points to this KeyInit Repository if !util.ContainsString(keyInitRepositoryURIs, ki.Contents.REPOURI) { log.Error(ErrRepoURI) return ErrRepoURI } // verify that SESSIONANCHORHASH matches decrypted SESSIONANCHOR sa, err := ki.SessionAnchor(sigPubKey) if err != nil { return err } // get KeyEntry message from SessionAnchor ke, err := sa.KeyEntry("ECDHE25519") if err != nil { return err } // verify KeyEntry message if err := ke.Verify(); err != nil { return err } // NOTAFTER and NOTBEFORE are valid if ki.Contents.NOTBEFORE >= ki.Contents.NOTAFTER { log.Error(ErrInvalidTimes) return ErrInvalidTimes } // not expired if ki.Contents.NOTAFTER < uint64(times.Now()) { log.Error(ErrExpired) return ErrExpired } // SIGNATURE was made with UIDMessage.UIDContent.SIGKEY over Contents var ed25519Key cipher.Ed25519Key sig, err := base64.Decode(ki.SIGNATURE) if err != nil { return err } pubKey, err := base64.Decode(sigPubKey) if err != nil { return err } // create ed25519 key ed25519Key.SetPublicKey(pubKey) // verify self-signature if !ed25519Key.Verify(ki.Contents.json(), sig) { log.Error(ErrInvalidKeyInitSig) return ErrInvalidKeyInitSig } return nil }
// VerifyNonce verifies the nonce signature with the given sigPubKey. func VerifyNonce(sigPubKey string, nonce uint64, signature string) error { var ed25519Key cipher.Ed25519Key sig, err := base64.Decode(signature) if err != nil { return err } pubKey, err := base64.Decode(sigPubKey) if err != nil { return err } if err := ed25519Key.SetPublicKey(pubKey); err != nil { return err } if !ed25519Key.Verify(encode.ToByte8(nonce), sig) { return log.Error(ErrInvalidNonceSig) } return nil }
// VerifySrvSig verifies the signature with the srvPubKey. func (ki *KeyInit) VerifySrvSig(signature, srvPubKey string) error { var ed25519Key cipher.Ed25519Key // get server-signature sig, err := base64.Decode(signature) if err != nil { return err } // create ed25519 key pubKey, err := base64.Decode(srvPubKey) if err != nil { return err } ed25519Key.SetPublicKey(pubKey) // verify server-signature if !ed25519Key.Verify(ki.JSON(), sig) { log.Error(ErrInvalidSrvSig) return ErrInvalidSrvSig } return nil }
// VerifySelfSig verifies that the self-signature of UIDMessage is valid. func (msg *Message) VerifySelfSig() error { var ed25519Key cipher.Ed25519Key // get content content := msg.UIDContent.JSON() // get self-signature selfsig, err := base64.Decode(msg.SELFSIGNATURE) if err != nil { return err } // create ed25519 key pubKey, err := base64.Decode(msg.UIDContent.SIGKEY.PUBKEY) if err != nil { return err } if err := ed25519Key.SetPublicKey(pubKey); err != nil { return err } // verify self-signature if !ed25519Key.Verify(content, selfsig) { return log.Error(ErrInvalidSelfSig) } return nil }
// VerifySrvSig verifies that the server-signature of MessageReply is valid. func (reply *MessageReply) VerifySrvSig(msg *Message, srvPubKey string) error { // make sure messages match UIDHash, UIDIndex, _ := msg.Encrypt() idx, msg, err := reply.Decrypt(UIDHash) if err != nil { return err } if !bytes.Equal(idx, UIDIndex) { return log.Error(ErrMsgMismatch) } if !bytes.Equal(msg.JSON(), msg.JSON()) { return log.Error(ErrMsgMismatch) } // verify server signature var ed25519Key cipher.Ed25519Key // get content content := reply.ENTRY.json() // get server-signature sig, err := base64.Decode(reply.SERVERSIGNATURE) if err != nil { return log.Error(err) } // create ed25519 key pubKey, err := base64.Decode(srvPubKey) if err != nil { return log.Error(err) } if err := ed25519Key.SetPublicKey(pubKey); err != nil { return err } // verify server-signature if !ed25519Key.Verify(content, sig) { return log.Error(ErrInvalidSrvSig) } return nil }